Question - Origins of CWS and other particularly nasty spyware.

So I might be making a silly request, but I've been searching around for about an hour and I haven't seen my answer obviously posted anywhere.

I notice that lots of people are victims of CWS hijacking, but no one indicates where they were browsing to receive the CWS installation.

I write scripts and provide solutions to remove software for users at my job. The first thing that I always have before trying to determine how a piece of software installs itself is to get my hands on the installation package.

If anyone has a copy of the installer or if they know what URL they were browsing to on the web when they were hijacked, making this information public would be very useful for those of us who are working to provide solutions to remove the nastyware.

This seems so obvious to me that such information would be valuable. Perhaps I overlooked the link that says, "WHATEVER YOU DO, DON'T CLICK ON THIS LINK, BUT HERE IS THE INSTALL SOURCE FOR CWS", but I have not seen it yet. I do realize that casual browsing does not lend itself to any sort of scientific method that would help us determine the origins of the CWS install, but I thought it would be worth asking.

Yeah, thanks for the suggestion, but I've already been there and did not see a source location. The cexx.org forums have a listing of domains that were known to cause the hijacking, but I can't seem to coax the component to install. I guess my test box is patched to prevent the exploit. I don't know if this is the case, I am just speculating.